12.3 Cryptographic Attacks

Identify and exploit weaknesses in the software that implements the
cryptographic solution

We discuss each of these techniques in the following sections, but
the key point to remember is that cryptography is vulnerable to
attack, and does not provide invincible security. The passage of time
weakens cryptographic security. Once Eve has intercepted a message
from Alice, she can attack the cryptography at her leisure;
therefore, Alice and Bob must assume that at some point Eve will be
able to read the contents of that message.

12.3.1 Brute Force Attacks, Theft, and Guessing

A brute force attack is the process of trying
every possible key to determine which key Alice used. Modern
cryptography is based on mathematical algorithms using numerical
keys. The length of the key (the number of digits) determines how
many possible keys there can be. If there are only 10 possible keys,
Eve has to try to decrypt the message at most 10 times before she
finds the key that Alice uses.

The cryptographic algorithms that we discuss in this book have
different key sizes, some of them allowing ranges that are so big
that it could take many hundreds of thousands of years to check all
of the possible keys that Alice may have used. However, Eve has
history on her side; the speed at which computers can test keys has
increased enormously in recent years, and there is no reason why this
should change in the future. Computing-performance increases will
allow Eve to check more keys each day, or completely new techniques
may be devised for attempting to guess keys, allowing her to test all
of the combinations in a fraction of the time. Alternately, Eve may
create a global network of computers and coordinate the guesses to
speed up the attack using current technology.

Instead of using brute force, Eve may try to steal the key from Alice
or Bob, either by tricking them into revealing the secret, or by
intimidation and violence. While it is more likely that trickery
would be used, we have to bear in mind that some information is of
limitless value, and using violence to force Alice or Bob into
revealing the key is not inconceivable.

Finally, Eve may just guess the key. Eve has to be lucky only once to
be able to beat huge odds and guess the right key; the odds of her
guessing correctly are extremely low, but that is the very nature of
being lucky.

12.3.2 Cryptanalysis

Cryptanalysis
is the study of the algorithms that Alice and Bob have used, looking
for weaknesses that can be exploited to reveal the messages or the
keys that have been used. By the time that new cryptographic
algorithms enter commercial use, they have been subjected to
extensive cryptanalysis by security researchers and interested
mathematicians, and are generally regarded to contain no obvious
flaws.

However, just because there are no publicly known flaws does not mean
that none will be discovered in the future or even that some flaws
are already known, but they are being kept secret by people like Eve
in order to lull Alice and Bob into a false sense of security.
Cryptography is a dynamic area; new algorithms are developed and old
ones are found to be insecure. Alice and Bob cannot rely on their
selected algorithm to remain secure forever.

12.3.3 Software Bugs

Even if
Eve is unable to discover the key or
find a weakness in the cryptographic algorithm, she may be able to
exploit a bug in the software that Alice and Bob use to perform their
cryptography.

Although new cryptographic theories are rigorously debated and tested
before they are considered to be secure, the software that implements
the theory is often untested and insecure. If Eve can find a weakness
in the software, she may be able to exploit it to obtain the keys
that Alice and Bob are using.

The most common problem with security software is that complex
algorithms are not correctly implemented or are used in such a way as
to make them much less secure than they should be, as in
inadvertently discarding some of the key that Alice has created,
thereby reducing the number of guesses that Eve has to make.

When Alice and Bob select cryptographic software, they must be
confidant that their security will not be compromised by programming
errors.